VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Structure: Compound · Status: Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 29 of 286
  • CVE-2017-11649 · High · Mar 7, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in DrayTek Vigor AP910C devices with firmware 1.2.0_RC3 build r6594 allows remote attackers to hijack the authentication of unspecified users for requests that enable SNMP on the remote device via vectors involving goform/setSnmp.

  • CVE-2018-7733 · High · Mar 6, 2018
    risk 0.57 · cvss 8.8 · epss 0.00

    An issue was discovered in YxtCMF 3.1. RbacController.class.php has CSRF, as demonstrated by modifying an administrator account via index.php/admin/user/add_post.html.

  • CVE-2018-7307 · High · Mar 6, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter.

  • CVE-2018-7634 · High · Mar 1, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in Enalean Tuleap 9.17. Lack of CSRF attack mitigation while changing an e-mail address makes it possible to abuse the functionality by attackers. By making a CSRF attack, an attacker could make a victim change his registered e-mail address on the…

  • CVE-2018-7590 · High · Mar 1, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    CSRF exists in Hoosk 1.7.0 via /admin/users/new/add, resulting in account creation.

  • CVE-2016-0295 · High · Feb 28, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the IBM BigFix Platform 9.0, 9.1, 9.2, and 9.5 before 9.5.2 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. IBM X-Force ID: 111363.

  • CVE-2018-0520 · High · Feb 23, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in FS010W firmware FS010W_00_V1.3.0 and earlier allows an attacker to hijack the authentication of administrators via unspecified vectors.

  • CVE-2018-0148 · High · Feb 22, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A vulnerability in the web-based management interface of Cisco UCS Director Software and Cisco Integrated Management Controller (IMC) Supervisor Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary…

  • CVE-2018-7308 · High · Feb 21, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A CSRF issue was found in var/www/html/files.php in DanWin hosting through 2018-02-11 that allows arbitrary remote users to add/delete/modify any files in any hosting account.

  • CVE-2018-7219 · High · Feb 19, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    application/admin/controller/Admin.php in NoneCms 1.3.0 has CSRF, as demonstrated by changing an admin password or adding an account via a public/index.php/admin/admin/edit.html request.

  • CVE-2017-16756 · High · Feb 19, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in Userscape HelpSpot before 4.7.2. A cross-site request forgery vulnerability exists on POST requests to the "index.php?pg=password.change" endpoint. This allows an attacker to change the password of another user's HelpSpot account.

  • CVE-2017-5796 · High · Feb 15, 2018
    risk 0.57 · cvss 8.8 · epss 0.02

    A Remote Cross Site Request Forgery (CSRF) vulnerability in HPE 2620 Series Network Switches version RA.15.05.0006 was found.

  • CVE-2017-5781 · High · Feb 15, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    A CSRF vulnerability in HPE Matrix Operating Environment version v7.6 was found.

  • CVE-2017-17552 · High · Feb 7, 2018
    risk 0.57 · cvss 8.8 · epss 0.02

    /LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted.

  • CVE-2014-5280 · High · Feb 6, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    boot2docker 1.2 and earlier allows attackers to conduct cross-site request forgery (CSRF) attacks by leveraging Docker daemons enabling TCP connections without TLS authentication.

  • CVE-2018-6288 · High · Feb 6, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site Request Forgery leading to Administrative account takeover in Kaspersky Secure Mail Gateway version 1.1.

  • CVE-2018-6467 · High · Feb 6, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options-general.php.

  • CVE-2018-6651 · High · Feb 5, 2018
    risk 0.57 · cvss 8.8 · epss 0.02

    In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In…

  • CVE-2015-4179 · High · Feb 5, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in the Codestyling Localization plugin 1.99.30 and earlier for Wordpress.

  • CVE-2017-18080 · High · Feb 2, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability.